Hi Kostas,
Surely you are right - the basic proxy (grid-proxy part) will still be valid
for any period the user decided to create it for, and just the VOMS attributes
will expire after 24 hours due to the limitations of the VOMS server that
should be in place. In fact, the lifetimes of the underlying proxy and its VOMS
attributes can be set separately (using the -valid and -vomslife switches).
In practice, where authorization for many things still depends on the classical
static (non-VOMS-enabled) grid-mapfile, this means that the potential abuser
would not have any problems utilizing the voms-proxy with expired VOMS attributes
(basically, using it as a grid-proxy). Of course, if a person is a
member of two or more VOs, just one VO could be used by the abuser (and it
would depend on the local mapping, which can vary from site to site). However,
the orientation towards VOMS-enabled services should prevent this in the future -
when authorization on all Grid services is made VOMS-enabled, the possible
problems would disappear.
So, currently, although voms-proxies with expired VOMS attributes can still be
abused, in no way should VOs be encouraged to extend the allowed VOMS lifetimes.
This would again develop bad habits which have only slowly started to change...
Best regards, Antun
-----
Antun Balaz
Research Assistant
E-mail: [log in to unmask]
Web: http://scl.phy.bg.ac.yu/
Phone: +381 11 3713152
Fax: +381 11 3162190
Scientific Computing Laboratory
Institute of Physics, Belgrade, Serbia
-----
---------- Original Message -----------
From: Kostas Georgiou <[log in to unmask]>
To: [log in to unmask]
Sent: Wed, 25 Jul 2007 15:03:12 +0100
Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of job.
> On Tue, Jul 24, 2007 at 07:01:18PM +0200, Antun Balaz wrote:
>
> > Hi to all,
> >
> > This is certainly not the way to go! In order to increase the allowed lifetime
> > of a VOMS proxy for EGEE VOs, permission must be asked from the Joint Security
> > Policy Group (JSPG), since this is clearly related to security issues
> > (voms-proxies can be subjects of abuse; the longer their lifetime, the longer
> > the possible abuse).
>
> I am probably missing something since I haven't looked clearly at
> VOMS but AFAIK the VOMS server just adds an attribute to the user
> proxy. It is that attribute that expires and not the proxy. Since
> the attribute is only there to say "this proxy (if still valid) has
> X role" I can not really see how it can be abused beyond the delay
> that you'll get when a role is removed from a user. Surely what is
> important is the proxy (which can still have any lifetime) and not
> the attribute. What abuse scenarios do you have in mind? Maybe I am
> missing something somewhere.
>
> Cheers,
> Kostas
------- End of Original Message -------
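As an added illustration of the point both messages make (a constructed model written for this page, not code from the thread, from VOMS or from LCG): a site authorizing via a static grid-mapfile checks only the proxy certificate, while a VOMS-enabled site also requires the attribute certificate to be unexpired. The HH:MM lifetimes follow the -valid / -vomslife syntax of voms-proxy-init; the DN, VO name and account names are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class VomsProxy:
    """Constructed model of a VOMS proxy: the grid-proxy certificate and the
    VOMS attribute certificate (AC) it carries have independent lifetimes."""
    dn: str                 # subject DN of the underlying grid proxy
    vo: str                 # VO whose attributes the AC asserts
    proxy_expiry: datetime  # set via voms-proxy-init -valid HH:MM
    ac_expiry: datetime     # set via voms-proxy-init -vomslife HH:MM

def parse_hhmm(value: str) -> timedelta:
    """Parse the HH:MM lifetime syntax accepted by -valid and -vomslife."""
    hours, minutes = value.split(":")
    return timedelta(hours=int(hours), minutes=int(minutes))

def make_proxy(dn: str, vo: str, valid: str, vomslife: str, now: datetime) -> VomsProxy:
    return VomsProxy(dn, vo, now + parse_hhmm(valid), now + parse_hhmm(vomslife))

def authorize_gridmap(proxy: VomsProxy, gridmap: dict, now: datetime) -> Optional[str]:
    """Static grid-mapfile site: only the proxy certificate is checked; the AC is
    never looked at, so an expired AC does not stop the DN from being mapped."""
    if now >= proxy.proxy_expiry:
        return None
    return gridmap.get(proxy.dn)

def authorize_voms(proxy: VomsProxy, vo_accounts: dict, now: datetime) -> Optional[str]:
    """VOMS-enabled site: the proxy and the AC must both be unexpired."""
    if now >= proxy.proxy_expiry or now >= proxy.ac_expiry:
        return None
    return vo_accounts.get(proxy.vo)

# Constructed sample data (hypothetical DN, VO and local accounts).
DN = "/O=Example/OU=Constructed/CN=Sample User"
GRIDMAP = {DN: "examplevo001"}            # classical DN -> local account mapping
VO_ACCOUNTS = {"example-vo": "examplevo001"}
T0 = datetime(2007, 7, 25, 12, 0, tzinfo=timezone.utc)

def scenario(hours_later: int):
    """One-week proxy with a 24-hour AC, checked `hours_later` hours after creation.
    Returns (gridmap_decision, voms_decision); None means access denied."""
    proxy = make_proxy(DN, "example-vo", "168:00", "24:00", T0)
    now = T0 + timedelta(hours=hours_later)
    return authorize_gridmap(proxy, GRIDMAP, now), authorize_voms(proxy, VO_ACCOUNTS, now)

if __name__ == "__main__":
    for h in (12, 48, 200):
        print(h, "hours later:", scenario(h))
```

At 48 hours the grid-mapfile site still maps the DN while the VOMS-enabled site refuses, which is the window the thread is discussing; once the proxy itself expires, both refuse.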